3,000 Orgs Open to Equifax-type Breaches

The number of organizations that have downloaded vulnerable versions of the Struts2 component (CVE-2017-5638) totals 3,054, according to Sonatype.

Analyzing data from the Maven Central repository, the largest distribution point for Java open-source components, Sonatype found a startling lack of hygiene related to enterprise consumption of vulnerable Struts2 components, which were exploited in the massive breach at Equifax.

The company’s research reveals that in the last 12 months, organizations downloaded the exact version of Struts2 that was publicly disclosed as vulnerable on March 10, 2017 and subsequently exploited at Equifax between May and July 2017.

About 1,731 organizations downloaded versions of Struts2 that were publicly disclosed as vulnerable in July 2013, vulnerabilities that resulted in numerous breaches at major organizations in the weeks following disclosure.

Also, a full 46,557 organizations downloaded a version of Struts and/or its sub-projects with known vulnerabilities despite perfectly safe versions being available.

In an effort to accelerate innovation and avoid redundant costs, organizations are embracing open source at an extraordinary pace. Last year alone, enterprise developers requested more than 100 billion components from repositories such as Maven Central, NPM and PyPI, Sonatype noted. Today, 80 to 90% of a typical application consists of open-source components like Apache Struts. Yet, according to Sonatype’s 2017 DevSecOps Community Survey, 43% of organizations say they have no formal policy to govern the quality and security of the open-source software components used in their applications.

Additionally, Sonatype’s 2017 State of the Software Supply Chain report found that 4.6% (1 in 22) of the components used in production software have known vulnerabilities.
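The article's point is that the vulnerable Struts2 builds kept being pulled in even though a policy check at build time would have caught them. The script below is an added example (not Sonatype's tooling or anything from the original article) of the simplest form such a gate can take: it parses a Maven `pom.xml`, resolves `${property}` references, and flags any dependency whose version falls inside an affected range. The `org.apache.struts:struts2-core` ranges listed for CVE-2017-5638 are from my recollection of the Apache S2-045 bulletin, not from the article, and the sample POMs are constructed test input.

```python
"""Build-time policy gate: flag Maven dependencies whose resolved version
falls inside a known-vulnerable range (added example, not from the article)."""
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Tuple

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


class Advisory(NamedTuple):
    cve: str
    group_id: str
    artifact_id: str
    ranges: Tuple[Tuple[str, str], ...]  # inclusive (low, high) version pairs


# ASSUMPTION: these ranges are recalled from the Apache S2-045 bulletin for
# CVE-2017-5638; they are not stated on the page and must be verified there.
ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core",
             (("2.3.5", "2.3.31"), ("2.5", "2.5.10"))),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); stops at the first non-numeric piece
    (e.g. '-SNAPSHOT'). Tuple comparison then orders versions correctly,
    including '2.5' < '2.5.10' < '2.5.10.1'."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def resolve(text: str, props: dict) -> str:
    """Substitute ${name} references using the POM's <properties>."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), text or "")


def check_pom(pom_xml: str, advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (groupId, artifactId, version, CVE) for every dependency that
    matches an advisory. Covers <dependencies> and <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    project_version = root.findtext("m:version", default="", namespaces=NS)
    if project_version:
        props.setdefault("project.version", project_version.strip())

    findings = []
    for dep in root.findall(".//m:dependency", NS):
        gid = resolve(dep.findtext("m:groupId", default="", namespaces=NS), props).strip()
        aid = resolve(dep.findtext("m:artifactId", default="", namespaces=NS), props).strip()
        ver = resolve(dep.findtext("m:version", default="", namespaces=NS), props).strip()
        for adv in advisories:
            if (gid, aid) != (adv.group_id, adv.artifact_id):
                continue
            if any(in_range(ver, lo, hi) for lo, hi in adv.ranges):
                findings.append((gid, aid, ver, adv.cve))
    return findings


# Constructed sample input: the version is pulled in through a property, which
# is exactly the case a naive grep for "2.3.31" would miss.
SAMPLE_VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>${struts.version}</version></dependency>
    <dependency><groupId>junit</groupId>
      <artifactId>junit</artifactId><version>4.12</version></dependency>
  </dependencies>
</project>"""

# Constructed sample input: a patched release just above the affected range.
SAMPLE_FIXED_POM = SAMPLE_VULNERABLE_POM.replace("2.3.31", "2.5.10.1")


if __name__ == "__main__":
    for name, pom in (("vulnerable", SAMPLE_VULNERABLE_POM), ("fixed", SAMPLE_FIXED_POM)):
        print(name, check_pom(pom))
```

In a pipeline the script would exit non-zero whenever `check_pom` returns anything, so the build cannot ship a flagged artifact. The advisory list here is a hand-maintained stub; a real gate would populate it from a vulnerability feed and compare against the fully resolved dependency tree (transitive dependencies included), which a single POM does not show.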

“Like people who accidentally bring expired milk home from the grocery store, companies that download and deploy known vulnerable open-source components are simply not paying attention,” said Wayne Jackson, CEO of Sonatype. “The Equifax breach highlights the fact that perimeter security alone is not sufficient to protect personal data when hackers can easily exploit applications by targeting known vulnerable software components.”

Proposed legislation in the US and the General Data Protection Regulation (GDPR) soon to take effect in the European Union will hold organizations liable for poor software supply chain hygiene. In the past year in the US, the White House, four federal agencies, and the automotive industry have released new guidelines to improve the quality, safety and security of software supply chains.